From: Ian Jackson <Ian.Jackson@eu.citrix.com>
Date: Wed, 14 Nov 2012 11:45:37 +0000 (+0000)
Subject: compat/gnttab: Prevent infinite loop in compat code
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~7653
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks://%22/%22http:/www.example.com/cgi/%22https:/%22bookmarks:/%22?a=commitdiff_plain;h=3376d387cd50bf58bffdd1259042793ac4a4cfc7;p=xen.git

compat/gnttab: Prevent infinite loop in compat code

c/s 20281:95ea2052b41b, which introduces Grant Table version 2
hypercalls introduces a vulnerability whereby the compat hypercall
handler can fall into an infinite loop.

If the watchdog is enabled, Xen will die after the timeout.

This is a security problem, XSA-24 / CVE-2012-4539.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
---

diff --git a/xen/common/compat/grant_table.c b/xen/common/compat/grant_table.c
index b5249559d6..a6e8814770 100644
--- a/xen/common/compat/grant_table.c
+++ b/xen/common/compat/grant_table.c
@@ -318,6 +318,8 @@ int compat_grant_table_op(unsigned int cmd,
 #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
                 if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
                     rc = -EFAULT;
+                else
+                    i = 1;
             }
             break;
         }